Systems and methods for computer worm defense
Abstract
A computer worm defense system comprises multiple containment systems tied together by a management system. Each containment system is deployed on a separate communication network and contains a worm sensor and a blocking system. In various embodiments, the computer worm may be transported from a production network, where the computer worm is not readily identifiable, to an alternate network in the worm sensor where the computer worm may be readily identifiable. Computer worm identifiers generated by a worm sensor of one containment system can be provided not only to the blocking system of the same containment system, but can also be distributed by the management system to blocking systems of other containment systems.
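As an added illustration (not the patent's own code), the containment-system flow the abstract describes, simulated in Python: a filter diverts suspicious traffic to an isolated alternate network, a controller replays it there and generates an identifier when the replay host shows propagation-like fan-out, and a management system pushes that identifier to the blocking systems of every containment system. The port-based filter, the toy SELFCOPY propagation rule and the SHA-256 identifier scheme are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

def worm_id(pkt):
    """Computer worm identifier: SHA-256 over destination port and payload (assumed scheme)."""
    return hashlib.sha256(pkt.dport.to_bytes(2, "big") + pkt.payload).hexdigest()

class AlternateNetwork:
    """Isolated replay network of toy hosts (constructed): a payload starting with b"SELFCOPY"
    makes the receiving host resend it to every peer, standing in for worm propagation."""
    def __init__(self, hosts):
        self.hosts = list(hosts)
    def replay(self, pkt):
        """Re-address pkt to the first replay host and return the traffic that host then emits."""
        victim = self.hosts[0]
        if not pkt.payload.startswith(b"SELFCOPY"):
            return []
        return [Packet(victim, h, pkt.dport, pkt.payload) for h in self.hosts if h != victim]

class Controller:
    """Monitors the replay; fan-out to >= threshold peers on the same port is the anomaly."""
    def __init__(self, alt_net, threshold=2):
        self.alt_net, self.threshold = alt_net, threshold
    def analyze(self, pkt):
        targets = {p.dst for p in self.alt_net.replay(pkt) if p.dport == pkt.dport}
        return worm_id(pkt) if len(targets) >= self.threshold else None

def blocking_allows(blocked, pkt):
    """A blocking system is modelled as the set of identifiers it has been told to drop."""
    return worm_id(pkt) not in blocked

def management_distribute(wid, blocking_systems):
    """Management system: push one identifier to the blocking system of every containment system."""
    for blocked in blocking_systems:
        blocked.add(wid)

def defend(pkt, controller, blocking_systems, allowed_ports):
    """One containment-system pass: filter, replay in the alternate network, share the result."""
    if pkt.dport in allowed_ports:  # filter stage: only traffic to unexpected ports is diverted
        return None
    wid = controller.analyze(pkt)
    if wid:
        management_distribute(wid, blocking_systems)
    return wid
```

Each set passed as a blocking system stands for one containment system's blocker, so an identifier learned on one network is enforced on the others without their sensors ever replaying the traffic.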
30 Claims
1. A computer worm defense system comprising:
- a plurality of computer worm containment systems, each computer worm containment system comprising a worm sensor implemented in a computing device and configured to generate a computer worm identifier for a computer worm propagating within a communication network, the worm sensor comprising an alternate computer network, communications traffic being monitored on a communication network and filtered from the communication network for analysis by the alternate computer network, the filtered communications traffic having one or more suspicious characteristics of a computer worm, wherein the one or more suspicious characteristics indicating that the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises a computer worm; and
- a controller configured to monitor the alternate computer network, and to determine whether the filtered communications traffic comprises a computer worm by analysis of the filtered communications traffic, the controller being operable to monitor a replay of transmission of the filtered communications traffic within the alternate computer network, and when the filtered communications traffic is determined to comprise a computer worm, generate the computer worm identifier for the computer worm based on anomalous behavior caused within the alternate computer network during replay of transmission of the filtered communications traffic by the computer worm.
Dependent claims: 2 to 14.
15. A computer worm defense method comprising:
- monitoring communications traffic from a communication network;
- filtering the communications traffic from the communication network, the filtered communications traffic having one or more suspicious characteristics of a computer worm, wherein the one or more suspicious characteristics indicating that the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises a computer worm;
- determining whether the filtered communications traffic comprises a computer worm by analyzing the filtered communications traffic, the analyzing comprising monitoring a replay of transmission of the filtered communications traffic within an alternate computer network of a computer worm containment system; and
- when the filtered communications traffic is determined to comprise a computer worm, generating a computer worm identifier for the computer worm based on anomalous behavior caused within the alternate computer network during replay of transmission of the filtered communications traffic by the computer worm.
Dependent claims: 16 to 29.
30. A non-transitory machine readable medium having embodied thereon executable code, the executable code being executable by a processor to perform a computer worm defense method comprising:
- monitoring communications traffic from a communication network;
- filtering the communications traffic from the communication network, the filtered communications traffic having one or more suspicious characteristics of a computer worm, wherein the one or more suspicious characteristics indicating that the filtered communication traffic should be analyzed to determine whether or not the filtered communications traffic comprises a computer worm;
- determining whether the filtered communications traffic comprises a computer worm by analyzing the filtered communications traffic, the analyzing comprising monitoring a replay of transmission of the filtered communications traffic within an alternate computer network of a computer worm containment system; and
- when the filtered communications traffic is determined to comprise a computer worm, generating a computer worm identifier for the computer worm based on anomalous behavior caused within the alternate computer network during replay of transmission of the filtered communications traffic by the computer worm.
Specification